List decoding of RM(1,m) codes and Multi-linear Power Analysis

SLIDE 1

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA

List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA)

Ilya Dumer, Rafael Fourquet, Grigory Kabatiansky, Pierre Loidreau, Thomas Roche, Cédric Tavernier

University of Riverside, CA, USA. Research institute IPPI, Moscow, Russia. University Paris VIII, Paris, France. CELAR, Bruz Laboratoire LIG, Grenoble, France. Communications and Systems, Le Plessis Robinson, France.

29 May 2009

SLIDE 2

Plan

1 List decoding of the First order Reed-Muller codes
    Reed-Muller codes
    List Decoding Algorithm
    Complexity
    Behaviour
2 Application to cryptanalysis
    Approximation of a block cipher
3 Power Analysis attacks overview
4 Countermeasures
5 (Multi-)Linear Power Analysis Attacks
    Practical Setup
6 Results and Perspectives
    Simulations
    The dpa-contest traces
    Conclusion and Open perspectives

SLIDE 4

Reed-Muller code properties

Definition of RM(1, m)
$RM(1, m) = \{ f \in GF(2)^{(1)}[x_1, x_2, \cdots, x_m] \}$;
Usual representation: $(f(0), f(1), \cdots, f(2^m - 1))$;
Boolean representation: $f = f_1 x_1 \oplus f_2 x_2 \oplus \cdots \oplus f_m x_m$;
code of length $n = 2^m$ and minimal distance $d = n/2$.

Classical Problem
Given a Boolean function $g$, we want to construct the list $\{ f \in RM(1, m) \mid d_H(f, g) \le n(1/2 - \epsilon) \}$, which is equivalent to
$$L_g(\epsilon) = \Big\{ f \in RM(1, m) \;\Big|\; l^{(g)}(f) = \sum_{x \in GF(2)^m} (-1)^{f(x) \oplus g(x)} \ge 2\epsilon n \Big\}.$$

Johnson Bound
In fact $|L_g(\epsilon)| \le \frac{1}{4\epsilon^2}$.

SLIDE 5

List Decoding Algorithms

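A simple idea
$$2\epsilon n \le |l^{(g)}(f)| \le \sum_{s \in GF(2)^{m-i}} \Big| \sum_{r \in GF(2)^i} (-1)^{g(r,s) \oplus f^{(i)}(r)} \Big|$$
where $f^{(i)} = f_1 x_1 \oplus \cdots \oplus f_i x_i$.

Screening process: we suggest $f_i$ and we check if the inequality is satisfied.
$$\Rightarrow L^{(i)}_g(\epsilon) = \Big\{ f \in RM(1, i) \;\Big|\; \sum_{s} \Big| \sum_{r \in GF(2)^i} (-1)^{g(r,s) \oplus f(r)} \Big| \ge 2\epsilon n \Big\}.$$

In fact $M = |L^{(i)}_g(\epsilon)| \le \frac{1}{4\epsilon^2}$. With $E = L^{(i)}_g(\epsilon)$:
$$4 n \epsilon^2 M \le \sum_{a \in E} \sum_{b \in E} \sum_{s} \Big| \sum_{r \in GF(2)^i} (-1)^{g(r,s) \oplus a^{(i)}(r) \oplus g(r,s) \oplus b^{(i)}(r)} \Big| \le n.$$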
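
The screening process above, as an added example (not code from the slides or from the authors): candidates are extended one coefficient at a time and kept only while the sum of absolute partial sums stays at or above $2\epsilon n$. The bit ordering of the points, the function names and the noisy word are constructed for the illustration; a negative final sum is reported as the complemented function $f \oplus 1$.

```python
# Added example: screening list decoder for RM(1, m).
# Assumed convention: a point x is an integer whose bit j-1 holds x_j, so the
# first i variables r are the low i bits and s is the remaining high bits.

def parity(v):
    return bin(v).count("1") & 1

def screen_sum(g, m, i, prefix):
    """sum over s of | sum over r of (-1)^(g(r,s) xor <prefix, r>) |."""
    total = 0
    for s in range(1 << (m - i)):
        inner = 0
        for r in range(1 << i):
            inner += 1 - 2 * (g[(s << i) | r] ^ parity(prefix & r))
        total += abs(inner)
    return total

def list_decode(g, m, eps):
    """Return ([(mask, constant, |correlation|)], list size after each step)."""
    n = 1 << m
    threshold = 2 * eps * n
    candidates, sizes = [0], []
    for i in range(1, m + 1):
        survivors = []
        for prefix in candidates:
            for f_i in (0, 1):                      # suggest coefficient f_i
                cand = prefix | (f_i << (i - 1))
                if screen_sum(g, m, i, cand) >= threshold:
                    survivors.append(cand)          # inequality still holds
        candidates = survivors
        sizes.append(len(candidates))
    result = []
    for mask in candidates:
        corr = sum(1 - 2 * (g[x] ^ parity(mask & x)) for x in range(n))
        # a negative sum means the complement f xor 1 is the close codeword
        result.append((mask, int(corr < 0), abs(corr)))
    return result, sizes

def noisy_codeword(m, mask, flips):
    """Constructed input: the word <mask, x> with the listed positions flipped."""
    g = [parity(mask & x) for x in range(1 << m)]
    for x in flips:
        g[x] ^= 1
    return g

# Constructed sample: m = 6 (n = 64), ten flipped positions, eps = 1/4.
M, EPS = 6, 0.25
G = noisy_codeword(M, 0b101101, [1, 5, 9, 14, 22, 27, 33, 40, 51, 60])

if __name__ == "__main__":
    found, sizes = list_decode(G, M, EPS)
    print("list:", found)
    print("list size per step:", sizes, "bound:", 1 / (4 * EPS ** 2))
```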

SLIDE 6

Complexity

Worst case complexity
The complexity of this algorithm is in $O(n \log_2^2(\epsilon))$ [I Du 07].
The complexity of the probabilistic version is in $O(m^2/\epsilon^6)$ [Kaba 04].
The result can be of size $m/2\epsilon^2$, thus the optimal complexity could be in $O(m/\epsilon^2)$.

Optimal complexity
In fact, Goldreich and Levin algorithm: $O(m/\epsilon^4)$.
I. Dumer, G. Kabatiansky and C. Tavernier, not yet published: $O(m/\epsilon^2)$.

SLIDE 7

Behaviour

[Figure: $\log_2 L^{(i)}_g(\epsilon)$ plotted against the step $i$ ("i-step"); marked values $\log_2(1/4\epsilon^2)$ and $\log_2(1/\epsilon^2)$.]

SLIDE 8

Improvement and complexity

Idea
Computing the first steps by an FFT.
Complexity of the $\log_2(c/\epsilon^2)$ first steps is in $O(\epsilon^{-4} \log_2(1/\epsilon^2))$.
A complexity in $O(m/\epsilon^2)$ should improve on the former algorithms in practice.

SLIDE 9

Approximation of a block cipher

Analyzing a problem
A block cipher $f$ can be seen as a vectorial function $f : GF(2)^l \times GF(2)^k \to GF(2)^l$.
For linear cryptanalysis, we have to find relations $\langle \alpha, X \rangle \oplus \langle \beta, f(X, K) \rangle \oplus \langle \mu, K \rangle = 0$ that hold with the highest possible probability $1/2 + \epsilon$.

An interpretation of the problem
By fixing $\beta$, we fall into a problem of list decoding of the first order Reed-Muller code: we have to decode the noisy codeword $\langle \beta, f(X, K) \rangle$.

SLIDE 10

Results for 8 rounds of DES

Bias ×10^4   Linear Combination
−2.49        PH[15] ⊕ PL[0, 7, 18, 24, 31] ⊕ K[4, 9, 13, 31, 33, 41, 44, 52, 54]
4.86         PH[15] ⊕ PL[0, 7, 18, 24, 27, 31] ⊕ K[4, 9, 13, 31, 33, 41, 44, 47, 52, 54]
−4.68        PH[15] ⊕ PL[0, 7, 18, 24, 28] ⊕ K[4, 9, 15, 31, 33, 41, 44, 52, 54]
4.81         PH[15] ⊕ PL[0, 7, 18, 24, 27, 28] ⊕ K[4, 9, 15, 31, 33, 41, 44, 47, 52, 54]
−2.18        PH[15] ⊕ PL[0, 7, 18, 24, 27, 28, 29, 31] ⊕ K[9, 13, 15, 31, 33, 41, 44, 47, 52, 54]
−3.67        PH[15] ⊕ PL[0, 7, 18, 24, 27, 28, 31] ⊕ K[4, 9, 13, 15, 31, 33, 41, 44, 47, 52, 54]
−4.59        PH[15] ⊕ PL[0, 7, 18, 24, 30] ⊕ K[4, 9, 30, 31, 33, 41, 44, 52, 54]
2.63         PH[15] ⊕ PL[0, 7, 18, 24, 27, 30] ⊕ K[4, 9, 30, 31, 33, 41, 44, 47, 52, 54]
2.3          PH[15] ⊕ PL[0, 7, 18, 24, 29, 30, 31] ⊕ K[9, 13, 30, 31, 33, 41, 44, 52, 54]
2.69         PH[15] ⊕ PL[0, 7, 18, 24, 27, 29, 30, 31] ⊕ K[9, 13, 30, 31, 33, 41, 44, 47, 52, 54]
3.77         PH[15] ⊕ PL[0, 7, 18, 24, 30, 31] ⊕ K[4, 9, 13, 30, 31, 33, 41, 44, 52, 54]
3.23         PH[15] ⊕ PL[0, 7, 18, 24, 27, 30, 31] ⊕ K[4, 9, 13, 30, 31, 33, 41, 44, 47, 52, 54]
2.43         PH[15] ⊕ PL[0, 7, 18, 24, 27, 28, 29, 30] ⊕ K[9, 15, 30, 31, 33, 41, 44, 47, 52, 54]
−3.33        PH[15] ⊕ PL[0, 7, 18, 24, 28, 30] ⊕ K[4, 9, 15, 30, 31, 33, 41, 44, 52, 54]
−3.13        PH[15] ⊕ PL[0, 7, 18, 24, 28, 29, 30, 31] ⊕ K[9, 13, 15, 30, 31, 33, 41, 44, 52, 54]
4.52         PH[15] ⊕ PL[0, 7, 18, 24, 28, 30, 31] ⊕ K[4, 9, 13, 15, 30, 31, 33, 41, 44, 52, 54]
2.05         PH[15] ⊕ PL[7, 18, 24, 27, 31] ⊕ K[4, 9, 13, 31, 33, 41, 44, 47, 52]
2.48         PH[15] ⊕ PL[7, 18, 24, 27, 28, 30, 31] ⊕ K[4, 9, 13, 15, 30, 31, 33, 41, 44, 47, 52]
4.82         PH[15] ⊕ PL[7, 18, 24, 31] ⊕ K[4, 9, 13, 31, 33, 41, 44, 52]
2.05         PH[15] ⊕ PL[7, 18, 24, 27, 31] ⊕ K[4, 9, 13, 31, 33, 41, 44, 47, 52]
2.49         PH[15] ⊕ PL[7, 18, 24, 28, 29, 31] ⊕ K[9, 13, 15, 31, 33, 41, 44, 52]
−3.4         PH[15] ⊕ PL[7, 18, 24, 27, 28, 31] ⊕ K[4, 9, 13, 15, 31, 33, 41, 44, 47, 52]
3.55         PH[15] ⊕ PL[7, 18, 24, 29, 30] ⊕ K[9, 30, 31, 33, 41, 44, 52]
−2.31        PH[15] ⊕ PL[7, 18, 24, 27, 30] ⊕ K[4, 9, 30, 31, 33, 41, 44, 47, 52]
2.28         PH[15] ⊕ PL[7, 18, 24, 27, 28, 29, 30] ⊕ K[9, 15, 30, 31, 33, 41, 44, 47, 52]
5.83         PH[15] ⊕ PL[7, 18, 24, 27, 28, 29, 30, 31] ⊕ K[9, 13, 15, 30, 31, 33, 41, 44, 47, 52]

Tab.: Ciphertext bits combination : CL[12, 16] ⊕ CH[7, 18, 24]

SLIDE 11

Soft information on the key

We remark that we have a soft information on certain points of the linear function
$$H(X) = K_4 X_1 + (K_9 + K_{31} + K_{33} + K_{41} + K_{44} + K_{52}) X_2 + K_{13} X_3 + K_{15} X_4 + K_{47} X_5 + K_{54} X_6$$
Given a sample of $(X, f(X, K))$, let $s_0(i) = \#\{X H(\lambda_i) = 0\}$ and $s_1(i) = \#\{X H(\lambda_i) = 1\}$. Let
$$y(\lambda_i) = s_0(i) \log_2\left(\frac{1/2 - \epsilon_i}{1/2 + \epsilon_i}\right) + s_1(i) \log_2\left(\frac{1/2 + \epsilon_i}{1/2 - \epsilon_i}\right)$$
If $\lambda$ does not correspond to an obtained relation, we set $y(\lambda) = 0$.

Thus we have to decode the vector $(y(\lambda))_\lambda$ ⇒ Determine $H$ s.t. $\sum_{\lambda} y(\lambda) (-1)^{H(\lambda)}$ is max.

We reconstruct 6 bits of information with a complexity ≈ $2^{20}$.
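
Maximising $\sum_\lambda y(\lambda)(-1)^{H(\lambda)}$ over all linear $H$ is one Walsh-Hadamard transform of the vector $y$, with every unobserved $\lambda$ left at 0 as an erasure. The following is an added example, not code from the slides: the hidden coefficient vector, the counts and the bias are constructed, and the sign of the weight is chosen here so that a positive $y(\lambda)$ favours $H(\lambda) = 0$.

```python
import math

def parity(v):
    return bin(v).count("1") & 1

def fwht(v):
    """Fast Walsh-Hadamard transform: out[h] = sum_x v[x] * (-1)^<h, x>."""
    v = list(v)
    step = 1
    while step < len(v):
        for start in range(0, len(v), 2 * step):
            for j in range(start, start + step):
                a, b = v[j], v[j + step]
                v[j], v[j + step] = a + b, a - b
        step *= 2
    return v

def soft_value(n0, n1, eps):
    """Log-likelihood weight; > 0 favours H(lambda) = 0 (this example's sign)."""
    return (n0 - n1) * math.log2((0.5 + eps) / (0.5 - eps))

def decode_soft(k, observations):
    """observations maps lambda -> (n0, n1, eps); a missing lambda is an erasure."""
    y = [0.0] * (1 << k)
    for lam, (n0, n1, eps) in observations.items():
        y[lam] = soft_value(n0, n1, eps)
    scores = fwht(y)                      # scores[h] = sum y(lam) (-1)^<h, lam>
    best = max(range(1 << k), key=lambda h: scores[h])
    return best, scores[best]

# Constructed sample: 6 unknown coefficients, 16 erased points, 7 points whose
# counts point the wrong way, every remaining point with bias 0.02.
K, H_TRUE = 6, 0b110101
ERASED = set(range(0, 64, 4))
MISLEADING = {1, 6, 11, 21, 30, 43, 57}

def constructed_observations():
    obs = {}
    for lam in range(1 << K):
        if lam in ERASED:
            continue
        bit = parity(H_TRUE & lam) ^ (lam in MISLEADING)
        obs[lam] = (460, 540, 0.02) if bit else (540, 460, 0.02)
    return obs

if __name__ == "__main__":
    best, score = decode_soft(K, constructed_observations())
    print(f"decoded coefficients {best:06b}, score {score:.2f}")
```

With 16 erasures and 7 misleading points the true vector still wins, because any other candidate can gain at most the erased and misleading weight, which here stays below half of the 64 points.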

SLIDE 13

Generalities ([Koch 99])

Fundamental idea
The power consumption of a CMOS circuit is correlated with the operation it performs.

Power consumption leakage: starting points
Observable only at synchronized points (e.g. data transfers through buses or stored in registers).

Two models
Hamming Weight leakage: Number of 1-bits being processed at a given time.
Hamming Distance leakage: Number of modified bits during "k" clock cycles.

SLIDE 15

SPA/DPA/HO-DPA ([Koch 99])

SPA: System's power consumption directly observed at a given time. Allows breaking the target device when the execution path depends on the processed data.
DPA: SPA at a given time + statistical analysis. Requires expressing an intermediate data value as a function of input bits and few key bits (less than 32 key bits).
HO-DPA: DPA involving several intermediate data values.

SLIDE 17

The implementation is safe if one can shut down all information leakages:
Suppress synchronization elements (buses and registers)
and/or Randomize the data processed (masking techniques [Akka 01, Akka 03, Akka 04, Lv 05])
and/or Add random useless computations
and/or balanced dynamic dual-rail gates designs
and/or ...

Feasible? Maybe ... But at which cost?
e.g. "Three 32-Bit Random Masks and Six Additional S-Boxes are the Minimal Cost for a Secure DES Implementation" [Lv 05]

SLIDE 19

Glued Blocks

Solution
Concentrate on the first and last rounds, i.e. no information leak during these critical rounds
⇒ No observable intermediate value depends on fewer than 32 key bits.

Enough?
Introducing a new power analysis attack, we show that it is not.

SLIDE 22

Linear approximations

Key idea
By means of classical linear cryptanalysis of block ciphers [Mats 93], one can approximate intermediate values as a function of input bits and few key bits, even when it strictly depends on more than 32 key bits.

Formal Definition
Let us denote by $|K|$, $|P|$, $|C|$ the bit-lengths of the key, plaintext and ciphertext respectively. Let us consider a vector $\Pi$ of length $|P|$, $\kappa$ of length $|K|$ and $\Gamma$ of length $|C|$, and a bit $b$. $\Pi$, $\kappa$, $\Gamma$ and $b$ define a linear approximation of bias $\epsilon$ over the symmetric cipher if and only if:
$$\Pr_{P,K}\big(\langle P, \Pi \rangle \oplus \langle K, \kappa \rangle \oplus b = \langle C(P, K), \Gamma \rangle\big) \ge 1/2 + \epsilon$$

SLIDE 23

Multi-linear cryptanalysis approach

Optimize the attack assuming we can find n "good shaped" linear approximations, i.e. few key bits (k) involved in the linear approximations' union.

Algorithm steps:
1 Proceed as in a classical DPA attack for every linear approximation.
2 Recover the sub-key by Reed-Muller decoding from the resulting word (on $2^k$ bits) as if coming from a noisy and erasure channel.

SLIDE 24

Practical Setup

Correlation analysis
The measured quantity is evaluated with respect to the power consumption model (HW or HD) and some basic analysis of power consumption on the target board.
Results on real traces (dpa-contest) are based on a (very) rough estimate of the Hamming distance.

Twin board
Getting the linear approximations from a twin board, i.e. chosen plaintexts and keys:
Approximations directly linked to the leaked information, much more accurate.
No need to choose a power consumption model.
No need to know the target block cipher.
Still need to know where/when to attack.

SLIDE 26

Information leakage = Hamming weight or Hamming distance

Cipher  Model  Rounds  # linear equ.  # key bits  # Plaintexts  Pr(Success)
DES     HW     1       349            30          2^10          0.79
DES     HW     1       349            48          2^12          0.99
DES     HW     2       728            6           2^9           0.97
DES     HW     2       728            48          2^12          0.95
DES     HW     3       164            12          2^17          0.96
DES     HW     3       164            27          2^20          0.99
DES     HD     2       27             16          2^14          0.71
DES     HD     2       27             16          2^16          0.99
AES     HW     Last    1410           128         2^10          0.80
AES     HW     Last    1410           128         2^11          0.99

Tab.: Simulation Results

SLIDE 27

Information leakage from the dpa-contest traces

From traces "secmatv1 2006 04 0809" http://www.dpacontest.org/

Cipher  Rounds  # linear equ.  # key bits  # traces
DES     1       84             ∼20         1000
DES     1       84             45          20000
DES     2       163            ∼10         1000
DES     2       163            47          36000

Tab.: Attack on DPA-contest traces Results

SLIDE 28

Conclusion and Open perspectives

Important remark:
The best PA attacks (i.e. DPA) are extremely empirical and not fully understood.
It is our belief that with the growth of our understanding of how, when and which information is leaked, better counter-measure techniques will emerge.
After which PA attacks shall get closer to the classical cryptanalysis; MLPA is an example of such rapprochement.

Next Steps on MLPA:
Other block ciphers.
Better linear approximations.
Unknown block cipher attack.

SLIDE 29

Questions ?

[Akka 01] M.-L. Akkar and C. Giraud. “An Implementation of DES and AES, Secure against Some Attacks”. In: Çetin Kaya Koç, D. Naccache, and C. Paar, Eds., CHES, pp. 309–318, Springer, 2001.
[Akka 03] M.-L. Akkar and L. Goubin. “A Generic Protection against High-Order Differential Power Analysis”. In: T. Johansson, Ed., FSE, pp. 192–205, Springer, 2003.
[Akka 04] M.-L. Akkar, R. Bevan, and L. Goubin. “Two Power Analysis Attacks against One-Mask Methods”. In: B. K. Roy and W. Meier, Eds., FSE, pp. 332–347, Springer, 2004.
[Jako 98] T. Jakobson. “Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations of Low Degree”. In: H. Krawczyk, Ed., CRYPTO, pp. 212–222, Springer, 1998.
[Koch 99] P. Kocher, J. J. E, and B. Jun. “Differential Power Analysis”. In: , pp. 388–397, Springer-Verlag, 1999.
[Koet 03] R. Koetter and A. Vardy. “Algebraic soft-decision decoding of Reed-Solomon codes”. IEEE Transactions on Information Theory, Vol. 49, No. 11, pp. 2809–2825, 2003.
[Loid] P. Loidreau, R. Fourquet, and C. Tavernier. “Finding good linear approximations of block ciphers and its application to cryptanalysis of reduced round DES”. Can be found here: http://ced.tavernier.free.fr/.
[Lv 05] J. Lv and Y. Han. “Enhanced DES Implementation Secure Against High-Order Differential Power Analysis in Smartcards”. In: C. Boyd and J. M. G. Nieto, Eds., ACISP, pp. 195–206, Springer, 2005.
[Mats 93] M. Matsui. “Linear Cryptoanalysis Method for DES Cipher”. In: EUROCRYPT, pp. 386–397, 1993.
[Suda 97] M. Sudan. “Decoding of Reed Solomon Codes beyond the Error-Correction Bound”. J. Complexity, Vol. 13, No. 1, pp. 180–193, 1997.

SLIDE 30

The end.

SLIDE 31

references

[I Du 07] G. K. I. Dumer and C. Tavernier. “List Decoding of the First Order Binary Reed Muller Codes”. Problems of Information Transmission, Vol. 43, No. 3, pp. 225–232, 2007.
[Kaba 04] G. Kabatiansky and C. Tavernier. “List decoding with Reed Muller codes of order one”. In: Ninth International Workshop on Algebraic and Combinatorial Coding Theory, pp. 230–236, 2004.